ASR9K NTP Question

Hello all, 
I received a report from one of the ASR9Ks and when I checked the log and did a little research using this site (http://www.cisco.com/c/en/us/td/docs/ios_xr_sw/iosxr_r4-2/error/messages/em42sems/em42ip.html), here is what I found out:
1- RP/0/RSP0/CPU0::Apr 30 12:46:17.450 : ntpd[240]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.10.100.254  : System clock selection failed
Cisco's Error Explanation:
a. %IP-IP_NTP-5-SYNC_LOSS Synchronization lost : [chars] : [chars]
b. Explanation: NTP lost synchronization due to one of the following reasons: 1. Server authentication failed 2. Access denied by remote server 3. Peer unreachable or clock selection failed 4. The association was removed 5. The clock was stepped and needs to be resynced 6. The ephemeral client association was timeout 7. ntp clear command
c. Recommended Action: If SYNC_LOSS because 'The clock was stepped and needs to be resynced' keeps occurring constantly during time, try to exec ntp reset drift.
2- RP/0/RSP0/CPU0::Apr 30 12:46:17.450 : ntpd[240]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->4.
Cisco's Error Explanation:
a. %IP-IP_NTP-5-HP_CONN_LOST High priority NTP peer connection lost - Stratum [dec]-[dec].
b. Explanation: The ntp server lost the connection with a high-priority clock source. The Stratum tells the change of server stratum.
c. Recommended Action: No action is required.
3- RP/0/RSP0/CPU0::Apr 30 13:03:14.121 : ntpd[240]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 5->2.
Cisco's Error Explanation:
a. %IP-IP_NTP-5-LP_CONN_RECOVERED At least a low priority NTP peer connection was recovered - Stratum [dec]-[dec].
b. Explanation: The ntp server recovered a connection with one of the configured clock source. The Stratum tells the change of server stratum.
c. Recommended Action: No action is required.
I'm not sure if I understand the following statements. I'd really appreciate it if someone can clarify to me what these two statements mean.
    High priority NTP peer connection lost - Stratum 2->4.
    High priority NTP peer connection recovered - Stratum 5->2.
Thanks in advance. 
Zeke

Thanks for the quick reply. The 10.10.100.254 is an internal NTP peer. Here is the output of the NTP associations from this ASR9K:
RP/0/RSP0/CPU0:vacrw01001001#sh ntp associations 
Thu May  1 13:49:00.111 PDT
      address         ref clock     st  when  poll reach  delay  offset    disp
*~198.123.30.132   192.58.23.182     2  2898  1024  374    5.95   0.862  18.651
  10.10.100.252    10.10.100.253     4     9  1024  377    1.95  -1.382   0.697
  10.10.100.251    10.10.100.253     4    40  1024  377    2.08  -1.344   0.202
 ~207.26.97.57     .STEP.           16     -  1024    0    0.00   0.000   15937
 ~10.10.100.254    10.10.100.253     4   252  1024  377    3.45  -2.377  18.463
 ~10.10.100.250    10.10.100.253     4   389  1024  377    6.00  -2.489  18.186
 ~192.6.38.127     .STEP.           16     -  1024    0    0.00   0.000   15937
 ~10.10.100.249    198.123.30.132    3   965  1024  377    6.00  -1.942  19.083
 * sys_peer, # selected, + candidate, - outlayer, x falseticker, ~ configured
Much appreciated. 
Best, ~sK 
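The association table above is a good candidate for an automated check when chasing a SYNC_LOSS. The script below is an added example, not part of the original thread: it parses the pasted "show ntp associations" output (embedded verbatim as sample input) and reports what a sync-loss investigation usually turns on: sources that are unsynchronized (stratum 16 / .STEP.), polls missed in the last eight (decoded from the octal reach register, where the least significant bit is the most recent poll), dispersion above a threshold, associations that carry no "~" flag and so were not configured on this box, and the lowest stratum among the remaining usable sources if the current sys_peer drops out (the system's own stratum is one more than its selected source). The 10 ms dispersion threshold is an arbitrary value chosen for illustration.

```python
import re

# The "show ntp associations" table from the post above, embedded verbatim as
# sample input. IOS XR layout: [sel][~]address refclock st when poll reach delay offset disp
SHOW_NTP_ASSOCIATIONS = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
*~198.123.30.132   192.58.23.182     2  2898  1024  374    5.95   0.862  18.651
  10.10.100.252    10.10.100.253     4     9  1024  377    1.95  -1.382   0.697
  10.10.100.251    10.10.100.253     4    40  1024  377    2.08  -1.344   0.202
 ~207.26.97.57     .STEP.           16     -  1024    0    0.00   0.000   15937
 ~10.10.100.254    10.10.100.253     4   252  1024  377    3.45  -2.377  18.463
 ~10.10.100.250    10.10.100.253     4   389  1024  377    6.00  -2.489  18.186
 ~192.6.38.127     .STEP.           16     -  1024    0    0.00   0.000   15937
 ~10.10.100.249    198.123.30.132    3   965  1024  377    6.00  -1.942  19.083
 * sys_peer, # selected, + candidate, - outlayer, x falseticker, ~ configured
"""

# One data row: selection flag (or blank), the "configured" tilde (or blank),
# then the nine columns. The header and legend lines do not match and are skipped.
ROW = re.compile(
    r"^(?P<sel>[*#+x -])(?P<cfg>[~ ])(?P<address>\S+)\s+(?P<refclock>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>-?[\d.]+)\s*$"
)


def parse_associations(text):
    """Turn the CLI table into a list of dicts, one per association."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "address": d["address"],
            "refclock": d["refclock"],
            "selected": d["sel"].strip(),      # '*', '#', '+', '-', 'x' or ''
            "configured": d["cfg"] == "~",
            "stratum": int(d["st"]),
            "poll": int(d["poll"]),
            "reach": int(d["reach"], 8),        # the reach register is printed in octal
            "delay": float(d["delay"]),
            "offset": float(d["offset"]),
            "disp": float(d["disp"]),
        })
    return rows


def audit(rows, disp_limit_ms=10.0):
    """Flag the conditions that matter when a SYNC_LOSS / HP_CONN_LOST shows up."""
    report = {"sys_peer": None, "candidates": [], "unconfigured": [],
              "unsynchronized": [], "missed_polls": {}, "high_dispersion": [],
              "fallback_stratum": None}
    usable = []
    for r in rows:
        if r["selected"] == "*":
            report["sys_peer"] = r["address"]
        if r["selected"] in ("*", "#", "+"):
            report["candidates"].append(r["address"])
        if not r["configured"]:
            # Associations nobody configured here deserve a look (who is peering with us?).
            report["unconfigured"].append(r["address"])
        if r["stratum"] >= 16 or r["refclock"] in (".STEP.", ".INIT.") or r["reach"] == 0:
            report["unsynchronized"].append(r["address"])
            continue
        usable.append(r)
        # reach is an 8-bit shift register of the last eight polls: a 0 bit is a missed poll.
        missed = 8 - bin(r["reach"]).count("1")
        if missed:
            report["missed_polls"][r["address"]] = missed
        if r["disp"] > disp_limit_ms:
            report["high_dispersion"].append(r["address"])
    others = [r["stratum"] for r in usable if r["selected"] != "*"]
    if others:
        # Best source left if the sys_peer is lost; the system itself would be one higher.
        report["fallback_stratum"] = min(others)
    return report


if __name__ == "__main__":
    for key, value in audit(parse_associations(SHOW_NTP_ASSOCIATIONS)).items():
        print(f"{key}: {value}")
```

On the posted table the script shows that the only selected source (198.123.30.132) missed its last two polls and carries the same roughly 18 ms dispersion as three of the internal peers, that two configured public servers have never synchronized, that two associations (10.10.100.252 and .251) are not configured on this router, and that the best remaining usable source is stratum 3.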

Similar Messages

  • Authenticated NTP question

    I am walking my way through the Cisco Best Practices documents and am currently working with NTP.
    Here is my question - to make the security folks happy, I am looking to set up authenticated NTP internally.  I currently have 6509s in place now and don't anticipate moving to Nexus anytime soon.
    I have been looking for a way to run authenticated NTP internally and either not use authenticated NTP externally or use a different key if I go with an authenticated NTP server.  From what I can see, I am not getting enough information to indicate whether or not what I am looking to do is possible.
    Any suggestions ?
    Ron

    Hi Ron,
    Just to be clear, what I have understood is:
    You want NTP to authenticate if it is going to sync from an internal source
    and if it tries to sync from an external source, it shouldn't authenticate.
    Correct me if I'm not in sync with your issue...
    Regards,
    Smitesh

  • NTP help

    Hello all! Hope all are having a great day!
    I'm trying to get caught up with NTP issues. Perhaps someone can assist me with some NTP questions that I have.
    I understand what NTP is used for. And I understand the basic premises of how Cisco is using NTP. So, with that in mind, let me give you my scenario.
    Our network is a switched network, with a 3750 as the "LANCORE" switch. We have about 6 distro switches (3750s), and the rest are daisy chained off the distro switches. So, each distro has anywhere from 10-12 switches as spokes, with the distro being the hub. That's the basics.
    Now, as of late, I've become interested in reviewing the syslogs, especially since I'm working on my CCNA security. I suddenly became aware that a lot of the switches in the network have horrible time settings. So let me break down what I think has occurred:
    Correct time:
    There are a handful of switches that have the ntp server set as the LANCORE switch, let's call it 172.16.1.1. Authentication is set up between these devices. But when you do a "sho NTP status", it shows that the clock is unsynchronized. The LANCORE switch, 172.16.1.1, is set up to point to the DC of the network as its source. I think when you do a "sho NTP ass" on this switch, it shows the two domain controllers' IP addresses in the first column, then a reference time IP address in the 2nd column. If I'm correct, isn't that what the DC is pointing to to get its time from?
    Even so, why isn't it showing the clock synchronized? The DCs, as servers, SHOULD be using NTP so they talk to each other. Microsoft is very very touchy about the clocks being in sync. My only unanswered question would be whether the DCs are set up to talk to the LANCORE switch with NTP, which, since they were configured like that, I'm guessing they are.
    Incorrect time:
    There are a bunch of devices that are showing incorrect date and time (I'm guessing some kind of default). Their configs are pointing to a device, let's say 172.16.2.1. However, that device is no longer on the network. So I'm guessing that the switches are not contacting that device, and are defaulting to this incorrect date/time combo. It looks like I'll just have to reconfigure all of those switches to point back to the scenario above.
    Any thoughts or suggestions would be appreciated

    Leo's solution was what we used in a secure environment. A dedicated NTP appliance (Datum Tymserve 2100 if memory serves) connected via a rooftop antenna (with optical isolators for that input signal). I see you can pick one up on e-Bay for about US$500 if you're so inclined.
    That said, I've always personally thought NTP authentication was overblown. Exactly what threat are you protecting against? I'd advocate a scheme such as I used more recently - point your edge device(s) (e.g. a firewall cluster) to an external (well-known public) NTP source. Point your internal devices (routers, switches and Windows DCs) to the firewall as their NTP master. A good firewall (I was using Juniper Netscreens) will report itself as Stratum 1 based on its clock stability.
    Regarding load, NTP is a very low load service. Unless you have thousands (or tens of thousands) of devices all hitting the same server, load due to serving NTP should be negligible.
    Do be sure to set up your devices to set their calendars as well as clocks using NTP and the other best practices as described in Cisco's various documents.

  • Timezone in ntp status

    Hi
    Please find below the output of "show ntp status" command on a NTP Server & client Routers.
    NTP Server
    Clock is synchronized, stratum 2, reference is 208.184.49.9
    nominal freq is 250.0000 Hz, actual freq is 250.0001 Hz, precision is 2**18
    reference time is C6D04612.22EA36B7 (21:23:14.136 kuwait Mon Sep 12 2005)
    clock offset is 0.4224 msec, root delay is 217.96 msec
    root dispersion is 1.24 msec, peer dispersion is 0.82 msec
    NTP Client
    Clock is synchronized, stratum 3, reference is xxx.xxx.xxx.xxx (IP address of the NTP Server)
    nominal freq is 250.0000 Hz, actual freq is 250.0055 Hz, precision is 2**24
    reference time is C6D04AF3.9FC434D0 (18:44:03.624 UTC Mon Sep 12 2005)
    clock offset is 0.1061 msec, root delay is 220.26 msec
    root dispersion is 1.07 msec, peer dispersion is 0.03 msec
    The NTP Server's clock timezone (Kuwait) is configured properly. Why doesn't the NTP client router (which shows the UTC timezone) have the same timezone as the NTP server?
    Also the following messages keep appearing on the console of the NTP Server Router. Is it related to NTP?
    Sep 12 10:28:43.768: %DSX1-6-CLOCK_CHANGE: Freerun clock is now selected as clock source
    Sep 12 10:29:15.379: %DSX1-6-CLOCK_CHANGE: Controller 1 clock is now selected as clock source
    Sep 12 10:29:25.483: %DSX1-6-CLOCK_CHANGE: Freerun clock is now selected as clock source
    Sep 12 10:29:31.023: %DSX1-6-CLOCK_CHANGE: Controller 0 clock is now selected as clock source
    Sep 12 10:29:32.159: %DSX1-6-CLOCK_CHANGE: Freerun clock is now selected as clock source
    Sep 12 10:29:55.471: %DSX1-6-CLOCK_CHANGE: Controller 1 clock is now selected as clock source
    Sep 12 10:30:56.686: %DSX1-6-CLOCK_CHANGE: Freerun clock is now selected as clock source
    Sep 12 10:31:56.185: %DSX1-6-CLOCK_CHANGE: Controller 1 clock is now selected as clock source
    Sep 12 10:32:04.152: %DSX1-6-CLOCK_CHANGE: Freerun clock is now selected as clock source
    Sep 12 10:32:10.900: %DSX1-6-CLOCK_CHANGE: Controller 0 clock is now selected as clock source
    Sep 12 10:33:26.163: %DSX1-6-CLOCK_CHANGE: Freerun clock is now selected as clock source
    Sep 12 10:33:56.135: %DSX1-6-CLOCK_CHANGE: Controller 0 clock is now selected as clock source
    Sep 12 10:34:09.770: %DSX1-6-CLOCK_CHANGE: Freerun clock is now selected as clock source
    Sep 12 10:34:16.942: %DSX1-6-CLOCK_CHANGE: Controller 1 clock is now selected as clock source
    Sep 12 10:34:18.046: %DSX1-6-CLOCK_CHANGE: Freerun clock is now selected as clock source
    Appreciate your reply.
    Thanks in advance. // Anup

    Anup
    I believe the console message you ask about is not at all related to your NTP question. It looks to me like something is unstable about clocking for some serial interface or controller.
    The explanation of your NTP question is that NTP transmits time in Universal Time (UTC) and the router translates that time into local timezone if it is configured to do so. Apparently the server has been configured to adjust for local time of Kuwait and the client has not. The command to adjust for local timezone is in global config:
    clock timezone
    If you configure this on the client you should find that the time is correctly translated.
    HTH
    Rick
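    Rick's point that NTP carries UTC can be checked against the two "reference time" lines above. The script below is an added example, not part of the thread: it decodes the 64-bit NTP timestamps (32-bit seconds since 1900-01-01 plus a 32-bit fraction of a second) and reproduces both lines, the server's in Kuwait time (UTC+3) and the client's in UTC, from the hex values alone; the only difference is the presentation offset, which is what "clock timezone" configures. It also applies the RFC 4330 rule for the 2036 rollover of the 32-bit seconds field, a caveat worth knowing before that date.

```python
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
NTP_TO_UNIX = 2208988800      # seconds from 1900-01-01 to 1970-01-01
ERA1_TO_UNIX = 2085978496     # 2**32 - NTP_TO_UNIX: offset for timestamps after the 2036 wrap


def ntp_timestamp_to_utc(hex_ts):
    """Decode a 64-bit NTP timestamp written as SECONDS.FRACTION in hex, as IOS prints it."""
    secs_hex, frac_hex = hex_ts.split(".")
    seconds = int(secs_hex, 16)
    fraction = int(frac_hex, 16) / 2 ** 32        # 32-bit binary fraction of a second
    if seconds & 0x80000000:                        # MSB set: era 0, 1968..2036
        unix = seconds - NTP_TO_UNIX
    else:                                           # MSB clear: era 1, 2036..2104 (RFC 4330 rule)
        unix = seconds + ERA1_TO_UNIX
    return UNIX_EPOCH + timedelta(seconds=unix, microseconds=round(fraction * 1_000_000))


def in_timezone(utc_dt, offset_hours):
    """What 'clock timezone' does: same instant, presented with a local offset."""
    return utc_dt.astimezone(timezone(timedelta(hours=offset_hours)))


def show_ntp_status_line(hex_ts, tz_name, offset_hours):
    """Render the 'reference time is ...' line the way the router prints it."""
    local = in_timezone(ntp_timestamp_to_utc(hex_ts), offset_hours)
    return (f"reference time is {hex_ts} ({local.strftime('%H:%M:%S')}."
            f"{local.microsecond // 1000:03d} {tz_name} {local.strftime('%a %b %d %Y')})")


if __name__ == "__main__":
    # The two timestamps from the posted outputs; same day, 20 min 49 s apart in UTC.
    print(show_ntp_status_line("C6D04612.22EA36B7", "kuwait", 3))
    print(show_ntp_status_line("C6D04AF3.9FC434D0", "UTC", 0))
    print(ntp_timestamp_to_utc("00000000.00000000"))   # start of NTP era 1
```

Both printed lines match the posted outputs character for character, which is the whole point: the timestamps on the wire are UTC, and the Kuwait label is purely the server's local presentation.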

  • Cucm 8 on vm 7.1

    Hi all
    After reading a lot of notes in this forum on how to install CUCM 8 on VMware using Windows 7, I was able to get the installation going. Then I was presented with the NTP question. I put in an IP address and hit continue, but it keeps giving errors that I need to put in a valid NTP address. Then I decided to power down the VMware machine and restarted; at that point I was presented with the login screen, I was so happy. So I went and put in the admin user/pass and got no access. Tried the user account that I created and got no access. Reinstalled CUCM 8 again and had the same scenario. Can someone help please?
    Thank you

    So, there is a router between your PC and your Internet gateway?
    Can you ping ntp.ubuntu.com from your host PC? The one where VMware is running.
    When you get to the NTP step, press alt+F2, and you will get a shell prompt. Run
    ifconfig
    ping
    And let me know the results. You can get back to the wizard screen pressing alt+F1. Also a packet capture from your PC with Wireshark when you attempt to connect to the NTP server from your CM would be nice.
    Please rate useful posts

  • NTP design questions !

    Hi
    Few questions on NTP design
    What value is added by configuring multiple ntp servers apart from redundancy? e.g.
    ntp server 1.1.1.1
    ntp server 2.2.2.2
    ntp server 3.3.3.3
    What value is added by configuring multiple ntp peers apart from redundancy? e.g.
    ntp peer 1.1.1.1
    ntp peer 2.2.2.2
    ntp peer 3.3.3.3
    What value is added by configuring both server and peer?
    ntp server 1.1.1.1
    ntp server 2.2.2.2
    ntp peer 2.2.2.2
    ntp peer 3.3.3.3
    Regards,
    Umair

    Umair
    The answer to your first two questions is pretty much the same. If you configure two servers (or two peers) and the time that they report is quite different, then how do you know which one to believe? But if three are configured and one is quite different, then you can safely assume that it is incorrect and not believe it.
    HTH
    Rick
    Sent from Cisco Technical Support iPhone App
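    Rick's answer is the intuition behind NTP's selection (intersection) algorithm, RFC 5905 section 11.2.1. The code below is an added example, not from the thread, implementing a simplified form of it (Marzullo's algorithm without the midpoint refinement): each source claims the true offset lies within offset plus or minus its root distance, and the algorithm looks for the largest set of overlapping intervals while insisting on a strict majority. The offsets and distances are made-up values in milliseconds. With three sources one outlier is identified as a falseticker; with only two disagreeing sources there is no majority and the function returns None, which is exactly the "which one do I believe" situation.

```python
def intersection_interval(sources):
    """Simplified RFC 5905 intersection algorithm.

    sources: list of (name, offset, root_distance), all in the same unit.
    Each source claims the true offset is within [offset - dist, offset + dist].
    Returns (low, high, truechimers, falsetickers), or None when no strict
    majority of the intervals overlap (no source can be trusted over another).
    """
    m = len(sources)
    endpoints = []
    for name, offset, dist in sources:
        endpoints.append((offset - dist, -1, name))   # low endpoint enters the interval
        endpoints.append((offset + dist, +1, name))   # high endpoint leaves it
    endpoints.sort()

    # Tolerate up to `allow` falsetickers, but always require m - allow > m / 2.
    for allow in range((m + 1) // 2):
        need = m - allow
        n, low = 0, None
        for value, kind, _ in endpoints:              # ascending scan finds the low edge
            n -= kind
            low = value
            if n >= need:
                break
        n, high = 0, None
        for value, kind, _ in reversed(endpoints):    # descending scan finds the high edge
            n += kind
            high = value
            if n >= need:
                break
        if high > low:
            truechimers = [nm for nm, off, d in sources if off - d <= high and off + d >= low]
            falsetickers = [nm for nm, _, _ in sources if nm not in truechimers]
            return low, high, truechimers, falsetickers
    return None


if __name__ == "__main__":
    # Made-up sample: two sources agree within a millisecond, one is 120 ms off.
    three = [("a", 0.5, 2.0), ("b", -0.5, 2.0), ("c", 120.0, 2.0)]
    print("three sources:", intersection_interval(three))
    # Only two sources that disagree: no majority, so nothing can be decided.
    print("two sources:  ", intersection_interval([three[0], three[2]]))
```

The three-source run returns the interval [-1.5, 1.5] with "c" as the falseticker; the two-source run returns None. That is the design reason for three or more sources: the algorithm can only discard an outlier when a majority still agrees.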

  • Simple NTP source question

    We have had some issues with our network time, which I tracked down to a closed port on an external firewall. However, in tracking this down, a question came up. We have four sources in our NTP config, including the "undisciplined local clock." Since the local clock on a computer is never really accurate, I expect it to drift after a while. Do I really want that as one of my sources? Should I delete it? CAN I delete it?
    Phil

    It is probably worth noting that the local clock is forced to be stratum 10, which means it is not likely to ever be used UNLESS nothing else can be used. Leaving it should not hurt and may keep ntp services from unnecessarily complaining when bigger problems are happening (like a lack of network connection to any other sources, which is something you'll hopefully notice since it probably means a cable fell out of your computer or your ISP's switch).
    Good luck.

  • Question with NTP authentication on my network

    I want to set up ntp authentication on my network but the problem is, I have a few core devices that use internet sources for synchronization, and my other devices use these core devices to sync their time. If I use ntp authentication on all devices, that will break the cores' relationship with the internet sources. Is there any way to do this or is my only option to manually set the core switches' time and rely on those clocks?

    Use a dedicated NTP server.  I mean not one that claims to be an NTP server and goes to the internet to get sync.  I'm talking about a TRUE NTP server that has a built-in GPS receiver and an antenna.
    You don't need to rack this unit into the DC.  You don't need to get one that can be racked either.
    True GPS servers, nowadays, can be as small as a portable DVD player (for the car).  They just have a tiny socket at the back to plug your power, RJ-45 and the external (magnetic-based) antenna.  You just deploy this as close as possible to the roof or near a window.

  • Asr9k dhcp proxy question

    Hi.
    There's a proprietary dhcp server that in certain cases assigns yiaddr=127.0.0.1. The goal is to get rid of unwanted clients.
    An asr9k configured as dhcp proxy sends a release for every ack for yiaddr=127.0.0.1, so client never gets this assignment and tries again and again multiplying traffic.
    I know this dhcp server config doesn't make much sense, but I don't see any limitations about this on rfc2131 nor draft-ietf-dhc-proxyserver-opt-05.
    Is there any way to workaround this?
    Thanks!
    Diego

    DHCP Proxy uses the VIP and not the management IP of the WLC. Is one of the WLC ports connected to your internal network and the other port connected to the FW? Again with DHCP Proxy enabled, traffic will flow to your internal DHCP server as long as you have all the dhcp server address configured on the interfaces and have ip helper-address setup on the L3 interfaces.
    Here is a doc regarding DHCP Proxy:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080af5d13.shtml#DHCP-Proxy

  • ASR9K bundle-ether question

    Hi guys, I have a question that needs confirming; could someone help me?
    the topology is like this
    1. Is this port-channel supported or not? I mean the ASR9001 side is a router subinterface and the C4500X side is a switch trunk interface.
    2. If this port-channel is supported, could I use LACP mode active? (The old Cisco router does not support LACP mode active in a case like this; it can only use mode on.)
    Thank you very much.

    Yup this is very much supported and I would recommend to use the option of running lacp for member management.
    mode-on means that all members are hard inserted in the bundle with no state control. mode active means that you are running lacp and negotiate with the peer the member state and inclusion in the bundle.
    on the a9k side you need to define EFPs or subinterfaces in order to peel out the different VLANs for either use as a routed interface or for insertion into a bridgedomain or xconnect.
    regards
    xander

  • A unix-like security question?

    Something happened on my Mac the other day, that kind of scared me. First, a little bit about my home setup.
    I have a small smtp mailserver running on my desktop Mac for family members - a big whoppin' five accounts. Three of the five of us live at home, two don't and remotely access email via SSL-enabled imap and SSL-enabled smtp. There is a laptop computer at home that accesses the imap and smtp servers on ports 143 and a non-standard smtp port. Traditionally, it has been used at home only, so I don't require SSL because it runs inside a WPA-protected wireless channel. Its mailserver info, set up in Mail.app, uses {computerName}.local as its mailservers. So, no access from outside my local WLAN. I also get my foreign mail, virus-scanned and spam-assassinated, from an MX agent that downloads that traffic to me on that same non-standard smtp port. For what it's worth, outbound smtp from the home mailserver is via port 25.
    On the desktop Mac, I also have ssh running, but on a non-standard port, and in sshd_config, I specify protocol 2 only, root login disabled, no password/no PAM authentication, only DSA public key authentication. In NetInfo Manager, I keep the root account disabled.
    On the Mac, in System Prefs' Sharing firewall, I have the non-standard smtp port, imap, imaps, non-standard port ssh, ard and vnc (so I can run CotVNC from the laptop at home), and afp (also for the laptop at home) open for uninvited traffic. Also ntp (probably don't need that since I'm not running a time server), and dns (for reasons discussed below). On my DSL router, I only have the non-standard smtp and ssh ports, and the imapS ports open. (When outside my home WLAN, on a foreign network, I port-forward VNC and afp over ssh if I want to do one of those things)
    So anyways, for the benefit of the laptop, I enabled DNS on the desktop, so that I could change the laptop's Mail.app's accounts' preferences to point to the same imaps and smtp server using my external WAN host name, whether it was inside or outside my home LAN (inside the home LAN, the laptop couldn't resolve my external domain name, and outside the home LAN, {computerName}.local was not routable). But by enabling DNS, I could reference my external host name to my 192.168.x.x IP address, and the laptop would find the server inside the home LAN, as well as find it outside the home LAN (by virtue of services like DynDNS and NoIP DNSs resolving it to my ISP-assigned dynamic external WAN IP). For what it's worth, yes, the laptop's mail preferences enabled SSL for both smtp and imaps, so SSL would be used even inside the WPA-protected channel, just as my users that don't live at home have SSL enabled as they network.
    Now for the scary part: the other day, while at home and with the laptop affiliated to my home wireless (WPA-protected) LAN, I ssh'ed into my desktop computer. Either the ssh connection or the desktop computer was running dirt slow. For some reason, I decided to do a tcpdump, and I saw all kinds of traffic going out to hosts all over the world.
    After the fact, I think it was just my DNS talking to the sixteen or so root servers, although none of the tcpdump entries used names like "a.root-servers.net" -- there was stuff with an army.mil, a nasa.gov, etc. I think I remember seeing something with a "umd.edu" in it, and there is a commented entry in /var/named/named.ca that has "umd.edu" in it, so that's why I am thinking that my DNS was just gabbing with a bunch of root servers. Not sure why it was gabbing with them since I can't think of any reason why it would have been trying to do name resolutions or anything. At the time, seeing all these packets being initiated by my computer and being sent worldwide freaked me out.
    But what really freaked me out is when I control-C'ed the tcpdump and did a "users" to see who or what might be generating them and saw my username and ... root! Repeating the "users" command a few times more, and it still showed "root" as one of the active users. I immediately ran to the computer and pulled the DSL plug out of the wall, and tried to figure out what was going on. I've got HenWen running, and didn't see anything outside of the usual unicast ARP warnings. After thinking that it might be DNS itself, I disabled DNS just to see what sort of traffic I would see in a tcpdump. Just local subnet broadcasts and arp requests. I have not re-enabled DNS yet.
    And the story gets better: a day or two later, I glance at my System Preferences firewall settings, and the firewall was OFF! Fortunately, the DSL modem's firewall was still on, only allowing uninvited inbound imaps, smtp, and ssh traffic. I don't remember ever turning off the desktop's firewall, and no one else uses that computer -- they all hop on the laptop, plus they don't know the admin password anyways. So that was a little freaky, too, but, I'll assume for now that I must have inadvertently turned it off when I was doing something, and never turned it back on.
    My immediate question is, if you have DNS turned on, would it ever do anything as root, and hence, show up as an active user in response to a "users" command? And not that there were any (/var/cron/tabs) cron jobs scheduled to be active at that particular time, but if there were a /var/cron/tabs/root job actively running, would root then show up as an active user in response to a "users" command?
    Signed,
    Scared!

    Hi J.V.
    First, I have to say that yours is an impressive setup. If you're not a sysadmin, you certainly could be. Also, you have a knowledge of much of this that surpasses mine so I may be of no help. However, I do use the "who" command to see if anyone has broken in and I've never seen the root user listed.
    There are doubtless more processes running as root on a typical system than those running as the user logged into the GUI. However, none of those root processes are the result of a login. I believe that the "users" and "who" commands only report users that are logged in. I don't see the root user with the "who" command even if I create a root shell with sudo. Although I don't know this for a fact, I don't believe that it should be possible to see the root user with the "who" command if the root account is disabled in NetInfo. By the way, I recommend the "who -u" command over the "users" command as it provides quite a bit more information. When I login to my machine via SSH, the domain name of the remote host is included in the output of the "who" command.
       There was a situation on Panther where the root user could be listed in NetInfo Manager as disabled when it was actually enabled. I don't believe that is possible in Tiger but you can check with the command,
    nicl . -read /users/root
    If the password is only a single asterisk or ideally the authentication_authority string contains ";DisabledUser;", the root user should really be disabled.
       I can see that you're quite knowledgeable about networking and comfortable with tools that examine packets. However, there are methods of intrusion detections that aren't directly network related. They may be of use in your situation.
       The simplest is the /var/log/secure.log. Acquisition of root privileges via sudo does show up in this log but there may be enough information about the circumstances to determine which uses of root privileges are normal.
    A more complex method is process accounting. This records every command executed on the system. It provides information similar to the "who" command but doesn't provide the arguments that were used in executing the command nor any process IDs. If you actually do discover unusual activity in real time, a full dump of process information with the "ps" command can provide a useful complement to the information recorded by process accounting. You can turn on process accounting simply by creating a /var/account/acct file and executing:
    sudo accton /private/var/account/acct
    You can read the result with the command:
    sudo lastcomm
    I should warn you that process accounting shouldn't be left on without developing a log rotation mechanism for the above file as it can grow large rather quickly.
    The mechanism for doing for the system what Snort does for the network is Security Auditing. This system was developed by Sun and distributed by Apple for OS X in their Common Criteria Tools. To understand the output of auditing and to customize the configuration requires at least as much study as mastering snort. It can also output a lot of information. However, like Snort, it is the ultimate at what it does.
       There is a minor rootkit for Mac OS X named Opener. Unlike a "real" rootkit it is easy to detect if you know what you're looking for. In reported versions, there is a StartupItem in /Library/StartupItems named "opener". I would check that directory for any unusual StartupItem.
    Gary
    ~~~~
       Adam was but human--this explains it all. He did not want
       the apple for the apple's sake, he wanted it only because
       it was forbidden. The mistake was in not forbidding the
       serpent; then he would have eaten the serpent.
             -- Mark Twain, "Pudd'nhead Wilson's Calendar"

  • A few post config questions on new setup

    Hi Group,
    Just a few post config questions.
    First, how can I confirm my controller is in fact associating properly with an NTP server?  On a typical Cisco product, I could just do a 'show ntp associations' or a 'show ntp status'.  I cannot see a way to confirm this on the gui or command line.
    Second, on my guest network with web-auth, if one were to choose to not use https for web-auth and instead use unsecure http, would that be possible and if so where in the gui?
    Thanks.

    The third field is from a WLC running v7.4 not v7.2.  I usually would install a 3rd party certificate, but what else you can try is to issue this command from the CLI.  It had issues working with certain code versions, but you might as well give it a try.
    config network web-auth secureweb disable
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • ASA 5505 Interface Security Level Question

    I am wondering if someone can shed some light on this for me. I have a new ASA 5505 with a somewhat simple config. I want to set up a guest VLAN on it for a guest wireless connection.
    I set up the ASA with the VLAN, made a trunk port, set up DHCP (on the ASA) on the guest VLAN, configured NAT, etc. Everything seems to be working with that. Guests are getting addresses on the correct subnet, etc.
    The only issue I have is that the Guest VLAN (192.168.22.0) can get to the secure (VLAN1 - 172.16.0.0). I set up the guest VLAN (VLAN 5) with a security level of 10, the secure with a level of 100. I figured that would be enough. To stop the guest from accessing the secure, I had to throw on an ACL (access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0)
    Can someone  show me what I did wrong?
    Thank you for any help!
    To create the VLAN, I did the following:
    int vlan5
    nameif Guest-VLAN
    security-level 10
    ip address 192.168.22.1 255.255.255.0
    no shutdown
    int Ethernet0/1
    switchport trunk allowed vlan 1 5
    switchport trunk native vlan 1
    switchport mode trunk
    no shutdown
    below is the whole config.
    Result of the command: "sho run"
    : Saved
    ASA Version 9.1(3)
    hostname ciscoasa
    enable password zGs7.eQ/0VxLuSIs encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    switchport trunk allowed vlan 1,5
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address <External IP/Mask>
    interface Vlan5
    nameif Guest-VLAN
    security-level 10
    ip address 192.168.22.1 255.255.255.0
    boot system disk0:/asa913-k8.bin
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Inside_Server1_80
    host <Inside_server1_IP>
    object network Inside_Server1_25
    host <Inside_server1_IP>
    object network Inside_Server1_443
    host <Inside_server1_IP>
    object network Inside_Server1_RDP
    host <Inside_server1_IP>
    object service RDP
    service tcp destination eq 3389
    object network Outside_Network1
    host <Outside_Network_IP>
    object network Outside_Network2
    host <Outside_Network_IP>
    object network Outside_Network2
    host <Outside_Network_IP>
    object network TERMINALSRV_RDP
    host <Inside_server2_IP>
    object network Inside_Server2_RDP
    host <Inside_Server2_IP>
    object-group network Outside_Network
    network-object object Outside_Network1
    network-object object Outside_Network2
    object-group network RDP_Allowed
    description Group used for hosts allowed to RDP to Inside_Server1
    network-object object <Outside_Network_3>
    group-object Outside_Network
    object-group network SBS_Services
    network-object object Inside_Server1_25
    network-object object Inside_Server1_443
    network-object object Inside_Server1_80
    object-group service SBS_Service_Ports
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object tcp destination eq smtp
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit object-group SBS_Service_Ports any object-group SBS_Services
    access-list outside_access_in extended permit object RDP any object TERMINALSRV_RDP
    access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server1_RDP
    access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server2_RDP
    access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0
    access-list Guest-VLAN_access_in extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu Guest-VLAN 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Inside_Server1_80
    nat (inside,outside) static interface service tcp www www
    object network Inside_Server1_25
    nat (inside,outside) static interface service tcp smtp smtp
    object network Inside_Server1_443
    nat (inside,outside) static interface service tcp https https
    object network Inside_Server1_RDP
    nat (inside,outside) static interface service tcp 3389 3389
    object network TERMINALSRV_RDP
    nat (inside,outside) static <TerminalSRV_outside_IP> service tcp 3389 3389
    object network Inside_Server2_RDP
    nat (inside,outside) static interface service tcp 3389 3390
    nat (Guest-VLAN,outside) after-auto source dynamic obj_any interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group Guest-VLAN_access_in in interface Guest-VLAN
    route outside 0.0.0.0 0.0.0.0 <Public_GW> 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 172.16.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.22.50-192.168.22.100 Guest-VLAN
    dhcpd dns 8.8.8.8 4.2.2.2 interface Guest-VLAN
    dhcpd lease 43200 interface Guest-VLAN
    dhcpd enable Guest-VLAN
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 129.6.15.30 prefer
    username <Username> VAn7VeaGHX/c7zWW encrypted privilege 15
    class-map global-class
    match default-inspection-traffic
    policy-map global-policy
    class global-class
      inspect icmp
      inspect icmp error
      inspect pptp
    service-policy global-policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:7f5d70668ebeb94f49f312612f76c943
    : end

    Hi,
    To my understanding they should not be able to connect to the more secure network IF you DON'T have an interface ACL configured.
    One very important thing to notice, and which I think is the most likely reason this happened, is the fact that as soon as you attach an interface ACL to an interface the "security-level" loses its meaning. The "security-level" has meaning as long as the interface is without an ACL. This makes the "security-level" only usable in very simple setups.
    What I think happened is that you have a "permit ip any any" ACL on the interface that allowed all the traffic.
    Your options are to either remove the interface ACL completely or have the ACL configured like you have now. I mean first block traffic to your secure LAN and then allow all other traffic, which would allow the traffic to the Internet.
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed.
    - Jouni
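Added example (Python, written for this page; not the ASA's code or anything from the thread): a toy first-match model of the two behaviours Jouni describes, run against the Guest-VLAN ACL from the posted config. The security levels for the three interfaces and the host addresses are constructed assumptions.

```python
"""Toy model of the ASA ingress rules Jouni describes (added example, not ASA code):
no ACL on the ingress interface -> the security-level decides (higher to lower only);
an ACL attached -> first match wins and the security-level is no longer consulted.
Interface levels and the test addresses are constructed to mirror the posted config."""
import ipaddress

# Constructed assumption: levels for the three interfaces in the config.
LEVELS = {"inside": 100, "Guest-VLAN": 50, "outside": 0}


def _network(tokens):
    """Consume one 'any' or '<address> <mask>' spec from the token list."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tokens.pop(0)}/{tokens.pop(0)}")


def parse_ace(line):
    """Parse an 'access-list NAME extended permit|deny ip SRC DST' entry."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2:5:2] != ["extended", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    action, rest = tokens[3], tokens[5:]
    return action, _network(rest), _network(rest)


def allowed(src_if, dst_if, src_ip, dst_ip, acl=None):
    """Decide whether src_ip on src_if may reach dst_ip on dst_if; acl is the
    list of parsed ACEs bound inbound on src_if, or None when none is attached."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if acl is None:
        return LEVELS[src_if] > LEVELS[dst_if]   # security-level only
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"            # first match decides
    return False                                 # implicit deny at the end


GUEST_ACL_AS_POSTED = [parse_ace(l) for l in (
    "access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0",
    "access-list Guest-VLAN_access_in extended permit ip any any",
)]
GUEST_ACL_PERMIT_ONLY = [parse_ace(
    "access-list Guest-VLAN_access_in extended permit ip any any")]

if __name__ == "__main__":
    for acl, label in ((None, "no ACL"), (GUEST_ACL_PERMIT_ONLY, "permit any only"),
                       (GUEST_ACL_AS_POSTED, "deny LAN, then permit any")):
        print(label, "->", allowed("Guest-VLAN", "inside", "192.168.22.50", "172.16.0.10", acl))
```

With no ACL the guest host is blocked by the level difference; with only `permit ip any any` it reaches the 172.16.0.0/24 LAN, which is the leak the reply explains; the posted order (deny the LAN first, then permit) restores the block while still letting guests out.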

  • How to configure time synchronization for two NTP servers

    We have IOSXR 4.2.1 on routers CRS3 and ASR9K with all recommended SMUs; we need to configure the time synchronization for two NTP servers with the configuration below, but the routers became unstable; they synchronize with one NTP server for some time, then switch to the other NTP server, and keep doing this. Does anyone know why this behavior occurs?
    ntp
    authentication-key 1 md5 encrypted 01070F074F0A05
    authenticate
    trusted-key 1
    server 10.192.32.32 prefer
    server 10.192.32.33
    source Loopback50
    update-calendar
    RP/0/RP0/CPU0:DFCRSDTC1#sh log | i ntp
    Wed Jul 10 09:37:04.621 BRSPO
    RP/0/RP0/CPU0:Jul  4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.32 : Peer unreachable or clock selection failed
    RP/0/RP0/CPU0:Jul  4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
    RP/0/RP0/CPU0:Jul  4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
    RP/0/RP0/CPU0:Jul  4 21:29:27 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
    RP/0/RP0/CPU0:Jul  4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.32 : Peer unreachable or clock selection failed
    RP/0/RP0/CPU0:Jul  4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
    RP/0/RP0/CPU0:Jul  4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
    RP/0/RP0/CPU0:Jul  4 21:31:36 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
    RP/0/RP0/CPU0:Jul  4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : Peer unreachable or clock selection failed
    RP/0/RP0/CPU0:Jul  4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
    RP/0/RP0/CPU0:Jul  4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
    RP/0/RP0/CPU0:Jul  4 21:40:11 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
    RP/0/RP0/CPU0:Jul  4 21:50:52 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : System clock selection failed
    RP/0/RP0/CPU0:Jul  4 21:50:52 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->6.
    RP/0/RP0/CPU0:Jul  4 21:59:26 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 6->2.
    RP/0/RP0/CPU0:Jul  4 22:25:07 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : System clock selection failed
    RP/0/RP0/CPU0:Jul  4 22:25:07 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->6.
    RP/0/RP0/CPU0:Jul  4 22:56:16 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : Peer unreachable or clock selection failed
    RP/0/RP0/CPU0:Jul  4 22:56:16 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.

    Hi Claudio, that ddts is pretty generic to be honest, but yes, it is filed to address sync issues in the XR NTP algo.
    The thing is that XR NTP clock selection is a bit different than IOS and follows the specs very closely, which results in this erroneous loss behavior.
    For instance, you could also see this issue with a sync loss if the update time is only 500msec off what it was before, and that will result in an NTP sync loss rather than adjusting to it.
    Also I wanted to mention that the ntp prefer is a bit of a misnomer in XR (since it follows the specs differently than IOS) and this knob was taken over from IOS really.
    You might get some joy if you set it to one server only and see if that helps?
    regards
    xander
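Added example (Python, written for this page; not code from the thread or from Cisco): a parser for the %IP-IP_NTP-5-* syslog lines in the question above, with a summary that counts sync losses per server and reason, records the worst stratum reached, and flags flapping when several losses fall inside one time window. The sample log is a subset of the lines posted above, and the one-hour window and threshold of three are constructed defaults.

```python
"""Parse IOS XR ntpd syslog and flag NTP sync flapping (added example, not from
the thread; regex written against the %IP-IP_NTP-5-* formats in the post above)."""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^RP/[^:]+::?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?"
    r" : ntpd\[\d+\]: %IP-IP_NTP-5-(?P<code>[A-Z_]+) : (?P<msg>.*)$")
STRATUM_RE = re.compile(r"Stratum (\d+)->(\d+)")

# Constructed sample: a subset of the lines from the post above.
SAMPLE_LOG = [
    "RP/0/RP0/CPU0:Jul  4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.32 : Peer unreachable or clock selection failed",
    "RP/0/RP0/CPU0:Jul  4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.",
    "RP/0/RP0/CPU0:Jul  4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.",
    "RP/0/RP0/CPU0:Jul  4 21:29:27 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.",
    "RP/0/RP0/CPU0:Jul  4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.32 : Peer unreachable or clock selection failed",
    "RP/0/RP0/CPU0:Jul  4 21:50:52 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : System clock selection failed",
    "RP/0/RP0/CPU0:Jul  4 21:50:52 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->6.",
    "RP/0/RP0/CPU0:Jul  4 22:56:16 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : Peer unreachable or clock selection failed",
]

def parse(line):
    """Return (ts, code, server, reason, stratum_to) or None for non-ntpd lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    server = reason = stratum_to = None
    if m["code"] == "SYNC_LOSS":  # "Synchronization lost : <server> : <reason>"
        _, server, reason = [p.strip() for p in m["msg"].split(" : ", 2)]
    elif (s := STRATUM_RE.search(m["msg"])):  # HP_CONN_LOST / HP_CONN_RECOVERED
        stratum_to = int(s.group(2))
    return ts, m["code"], server, reason, stratum_to

def summarize(lines, window_s=3600, flap_threshold=3):
    """Per-server/reason counts plus a flapping flag: >= flap_threshold
    SYNC_LOSS events inside any single window (lines assumed chronological)."""
    events = [e for e in map(parse, lines) if e]
    losses = [e for e in events if e[1] == "SYNC_LOSS"]
    flapping = any((losses[i + flap_threshold - 1][0] - losses[i][0]).total_seconds() <= window_s
                   for i in range(len(losses) - flap_threshold + 1))
    return {
        "sync_loss_by_server": Counter(e[2] for e in losses),
        "reasons": Counter(e[3] for e in losses),
        "all_conn_lost": sum(e[1] == "ALL_CONN_LOST" for e in events),
        "worst_stratum": max((e[4] for e in events if e[4] is not None), default=None),
        "flapping": flapping,
    }
```

Feeding the full `sh log | i ntp` output through `summarize` gives a quick picture of which server keeps dropping, whether the router fell all the way to stratum 15 (unsynchronized), and whether the losses are frequent enough to count as flapping rather than an isolated outage.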

  • Use of NTP pool in NTP configuration

    I had the following queries with respect to the use of NTP pool in the NTP configuration on RHEL:
    1) I see the following public servers  from the pool.ntp.org project in the default /etc/ntp.conf file.
    server  0.rhel.pool.ntp.org
    server 1.rhel.pool.ntp.org
    Would using these servers be fine or are there servers specific to India as we are located in India?
    2) The time taken from the public servers above may not be ideal; I was wondering how much the difference in time could be, say, over a 1 month period?
    I hope my question is clear.
    Please revert with the reply to my query.
    Regards

    1) I see the following public servers  from the pool.ntp.org project in the default /etc/ntp.conf file.
    server  0.rhel.pool.ntp.org
    server 1.rhel.pool.ntp.org
    Would using these servers be fine or are there servers specific to India as we are located in India?
    Use the <n>.in.pool.org servers because they are much closer to you.
    2) The time taken from the public servers above may not be ideal; I was wondering how much the difference in time could be, say, over a 1 month period?
    How long is a piece of string?  Your question is unanswerable.  Syncing with external clock references is fine because you can use as many reference clocks as it takes you to feel comfortable; I'd suggest 4 or 5, and also turn on the local software reference clock.